Août 062018

Like many drone geeks out there, I own a flysky fs-i6 to pilot my drone racers.

As 6 chanels is a bit short (both sticks will take 4 chans which leaves you with 2 extra channels only), I wanted to flash my remote with a custom firmware.

I decided to use this fw : and/or this one .

Issue is that using my usual usb to serial module, my remote would not be detected.
I check my baud rate (115200), switched rx/tx, but nothing would do.

I suspect that this is down the voltage of my usb serial module (5v versus 3.3v).
I finally decided to use a nano arduino module : i shorted reset to ground, connected rx to rx, tx to tx and voila : remote is detected (when opening port) and I could « program » my remote 🙂

 Posted by at 18 h 10 min
Juin 172018

Been playing with the excellent strarc from Olof.

The basics first:
-to backup a drive/folder to an archive: strarc.exe -cd:C:\ Z:\
-to restore a drive/folder from an archive : strarc.exe -xd:C:\ Z:\

Then, one can backup all files from one logical drive to another (on XP) in one go with this command : strarc.exe -crjd:c:\ | strarc.exe -xd:d:\.
Note the r parameter which will take care of loaded registry hives.
Ideally, rather than backuping a « hot » logical disk (i.e in used), you would use a Volume shadow copy as source (see a discussion here).

Dont forget that when you decide to backup files (i.e not a full physical disk), you need to take care of the MBR on the target disk (hint : grub4dos) and ensure that registry hives are included.

You can also perform such a backup over the network:
-On the « server / host A » side : nc -v -l -p 9000 -e « strarc -cd:x:\my_folder\ »
-On the « client / host B » side : nc 9000 > (update the IP obviously with your « server » IP).

Host B will connect to host A (listening on port 9000) and dump all received data (from Host A) to

 Posted by at 13 h 22 min  Tagged with:
Juin 112018

MakeIso will create an ISO from a source folder.

Supports multi-boot iso : x86 and EFI.
Support ISO9660, UDF, Joliet or any combination of these 3 filesystems.
Supports isolinux (checksum will be taken care of).
Tested successfully with Grub4Dos.

Mkiso is native (no external dependencies), standalone, built in on windows builtin imapi2.

MkIso is also part of CloneDisk.

Questions, feedback, requests welcome here.

Download here.


 Posted by at 20 h 06 min
Juin 112018

Updated version following up on this article : added netcat support

Download from here

RAW can be :
-A logical drive in the form of \\.\X:
-A physical drive in the form of \\.\physicaldriveX
-A volume in the form of \\?\Volume{e26e7b15-122a-11e7-82bf-806e6f6e6963}
-A volume snapshot in the form of \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
-A disk image file in the form of c:\temp\disk.img

DEVIO or NETCAT will be IP:PORT (ex:

NETCAT command line:
Use nc to dump incoming datas to a file (i.e RAW to NETCAT) -> nc.exe -v -n -l -p 9000 > c:\temp\disk.img
Use nc to send datas from a file (i.e NETCAT to RAW) -> nc -l -v -p 9000 < c:\temp\disk.img

DEVIO (RAW to DEVIO or DEVIO TO RAW) command line:
A logical drive -> devio 9000 \\.\X:
A physical drive -> devio 9000 \\.\PhysicalDriveX
A physical drive and a partition (starting a 1) -> devio 9000 \\.\PhysicalDriveX 2
A file (must exist and sized according to your needs) -> devio 9000 c:\temp\disk.img 0 0

 Posted by at 19 h 41 min
Fév 032018

A native app is an app that will be launched as soon as the kernel initialization is completed.

It will be launched (in user mode) by the session manager (smss.exe) thru the registry key HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\BootExecute(run at every boot) or HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\setupexecute(run once only).

A native app can only use NT API functions (ntdll.dll) and not the Windows API functions.

Possible usages :
nativereg createkey \Registry\Machine\SYSTEM\Setup key1
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test0 8 REG_RND_SZ
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test1 toto REG_SZ
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test2 112233AABBCC REG_BINARY
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test3 666 REG_DWORD
nativereg deletevalue \Registry\Machine\SYSTEM\Setup\key1 test1
nativereg deletekey \Registry\Machine\SYSTEM\Setup\key1

The tool is 32 bits (a 64 bits may come later).
It works on XP and up.

Discussion here.


Fév 032018

From an offline SAM hive (could be from winpe), run the below command, reboot and log in with a blank password.
CAREFULL : make a backup of your hive first !

OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 160
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 172

See here for more details about setvaluebyteat details.

000003e8 is my custom local admin account.
000001f4 would be the default windows account.
0xA0 (160) and 0xAC (170) are the offset for the LM and NTLM hash lengths: setting this to 0 effectively set the password to blank.

Use the below command line to enum accounts in your SAM db.

OfflineReg-win32 "c:\windows\system32\config\SAM" SAM\Domains\Account\Users enumkeys

 Posted by at 14 h 45 min